Fall 2022

Prompt Response Required
By Susan Chapman, MA, MFA, PGYT
For The Record
Vol. 34 No. 4 P. 14

The latest update to the Cures Act means all electronic health information must be readily available to patients.

Patients’ access to their medical records and the requirements of health care organizations to provide those records in a timely manner have become critical topics of discussion. The 21st Century Cures Act (Cures Act) of 2016, a law that primarily aims to accelerate medical product development and innovations, also makes “sharing electronic health information the expected norm in health care.” HIPAA allows a maximum of 30 days for organizations to fulfill patient-access requests, and in reinforcing that right, the Cures Act calls on organizations to question what constitutes a reasonable delay in fulfilling medical records requests.

Patient Access
The ability for patients to access their medical records was established more than two decades ago when “[t]he 2000 HIPAA Privacy Rule established an individual’s right to access, inspect, and obtain a copy of health records, upon request, from a covered health care provider.”

In 2016, the Office for Civil Rights, which oversees HIPAA, offered clarification as it relates to the timing of that access. “The access guidance reinforced a patient’s right to access their medical records in their preferred form and format, if available, and in a timely manner,” explains Deanna Peterson, MHA, BS, RHIA, CHPS, LNHA, vice president of HIM consulting and LTC consultant at First Class Solutions.

“This issue is definitely driven by the Cures Act, under which the patient is entitled to the designated record set (DRS),” says First Class Solutions Chief Operating Officer Rose Dunn, MBA, RHIA, CPA/CGMA, CHPS, FACHE, FHFMA, FAHIMA. “If we dig into this DRS as it was originally defined by HIPAA, it constitutes any electronic document, image, wave file, etc, that was involved with billing and the care of the patient and contains individually identifiable data. People are getting hung up on the legal health record, which are those documents that were created in the course of the patient’s treatment only. The misinterpretation is that the legal health record is all that patients need. But the legal health record is just a subset of the DRS. Instead, you have to include things like fetal monitor strips, echocardiograms, X-rays, explanations of benefits, and coverage-eligibility documents, among other electronically available documents. The Cures Act is saying that health care organizations have to give the patients the DRS, if the patients request it, and there shouldn’t be any unreasonable delay. The Cures Act isn’t limiting us to what is created through the EHR. If we have converted paper to a digital, electronic format through the scanning process, then we have to include that, too.”

“The 21st Century Cures Act is trying to make sure that patients have ease of access in kind of a one-stop shop,” explains Elizabeth Delahoussaye, RHIA, CHPS, chief privacy officer at Ciox Health. “If patients want to transfer that information from one location to another, then we need to have the technology to do that, the Act says. As an example, I’m a patient, I can say to the hospital, ‘I want my records sent to Google Health.’ The hospital needs to have the technology to do that. It’s like bookkeeping programs that let you tell all the banks you have to download your information once. You do a one-step update, and the bookkeeping program grabs all of that information for you. The 21st Century Cures Act is trying to do that for the patient.”

By April 2021, all health care organizations were required to have basic clinical information available to patients within the 30-day period. However, by this October, all patients’ electronic protected health information (ePHI) must be made available.

“The definition of ePHI is broad,” Delahoussaye says. “Any information that comes in or is created and utilized in health care decisions falls under that umbrella. You can imagine that is anything that comes into a health care provider from another health care provider, Hospital A to Hospital B. If Hospital B makes a decision about my health, then that becomes part of my ePHI.”

Dunn points out that with sensitive documents such as certain laboratory and pathology results, the Cures Act has left the decision as to what constitutes their timely access to a clinician on a case-by-case basis.

“So, an organization may have decided that they would hold up, for instance, all HIV, mammography, or pathology results for 30 days to allow the provider time to talk with the patient first. That becomes an across-the-board-rule that has not technically complied with the individual determination for each specific patient,” she says. “Also, if a person goes in for an annual mammography, she wants to see the results in her portal in the next couple of business days, not wait 30 days. If a person has a chest X-ray, they don’t want to wait 30 days for the results. Distinguishing between different radiology-related exams and the ‘hold time’ for displaying each may be challenging for organizations. Regardless, 30 days is not always a reasonable timeframe as a patient. When they say 30 days is reasonable, they need to narrow down the type of test they’re referring to—for example, a diagnostic mammography as opposed to a regular screening mammography. My recommendation would be to build a trigger into the system that holds the results for a limited number of days which would then hold up the time it gets into the portal. It should be reasonable for a physician—who is also considered an ‘actor’ under the Act—to have a conversation with the patient about the results within three business days after receiving the results and to set expectations for the patient as to when to look for a diagnostic result in the portal. This is my opinion in the context of being a patient who wishes to get these items from my portal. It may take longer if I ask the facility to send me the documents or images.”

Delahoussaye agrees, adding, “Some requests take longer than others, like radiology images. Radiology films are part of the DRS. It could take a while to put that onto a CD. They could get a copy of the medical records but not everything in the DRS. There may be some time delays as facilities work among departments. The way that information is dispersed across the health care ecosystem, that is where you can encounter challenges to getting all that information pulled together in 30 days. The Cures Act is trying to use all pieces of technology, but those pieces of technology may not all talk to each other effectively.”

Also, Peterson points out some states have regulations regarding a physician’s need to discuss test results with a patient. “There are some states that have regulations that may require a delay so that a provider can review results and return them to a patient when appropriate. For example, California has some regulations that address laboratory and pathology results,” she explains.

The College of Pathologists’ Cures fact sheet provides further clarification, delineating the role of pathologists in the chain of medical record access, noting, “Pathologists can continue to report finalized reports from the laboratory information systems to ordering systems—with reasonable turnaround time.” The fact sheet confirms that the clinicians ordering the tests can decide when to release the results based on their relationships with their patients.

And, in line with Dunn’s explanation, the fact sheet further states, “There are no blanket exceptions; only case-by-case exceptions for privacy, security reasons.”

Beyond diagnostic tests and laboratory results, other factors could impact a patient’s ability to access their records within a reasonable timeframe. “The records may not be available even though we have an EHR. Maybe the EHR rolled out three years ago, but the records for the request are on paper, before that time, in multiple boxes offsite,” Delahoussaye says. “Or maybe the facility is part of a merger with another system but the EHR is different. The question then becomes, who has access to that information from the sunsetted EHR? Some states have more stringent regulations than others. It’s pretty much 30 days in general. Providers do their best to ensure that they fulfill these patient requests as soon as possible, but you have situations where you can have delays.”

Information Blocking
The Office of the National Coordinator for Health Information Technology (ONC) defines information blocking as a practice by an “actor” that is likely to interfere with the access, exchange, or use of electronic health information, except as required by law or specified in an information blocking exception. The Cures Act applies the law to health care providers, health IT developers of certified health IT, and health information exchanges and health information networks.

The ONC further states that the knowledge standard for information blocking depends on the type of actor. For instance, the standard for health care providers is that the actor “knows that such practice is unreasonable and is likely to interfere with access, exchange, or use of electronic health information.” The standard for health IT developers of certified health IT and health information networks or health information exchanges is that the actor “knows, or should know, that such practice is likely to interfere with access, exchange, or use of electronic health information.”

“If the delay in fulfilling a patient’s request causes interference, then it could constitute information blocking, which could subject the provider to enforcement actions,” Peterson explains.

According to the ONC: A determination as to whether a delay would be an interference that implicates the information-blocking regulation would require a fact-based, case-by-case assessment of the circumstances. That assessment would also determine whether the interference is with the legally permissible access, exchange, or use of EHI; whether the actor engaged in the practice with the requisite intent; and whether the practice satisfied the conditions of an exception.

“As of October 2022, the information blocking rule extends to all information in a patient’s DRS,” Peterson says. “Patients have always had the right to their DRS under HIPAA, but the information blocking rule takes it a step further that if you don’t have the means to provide the DRS as requested, then that may qualify as information blocking. The only reason, or reasons, it may not constitute as information blocking is if it falls under one of eight exceptions and certain conditions are met for each exception.”

Those eight exceptions are the following:

• preventing harm;

• protecting an individual’s privacy;

• protecting the security of the ePHI;

• the infeasibility of the request, as there may be practicality issues with fulfilling it;

• benefiting the overall performance of the health IT, which recognizes that, at times, health IT may be required to be offline or degraded for the purposes of maintenance and/or improvement;

• limiting the content and fulfillment of a request or the scope of the ePHI;

• charging fees that enhance interoperability but do not interfere with access; and

• licensing interoperability elements, which protects the value of an actor’s innovations.

“Providers need to be familiar with what those eight exceptions are,” Peterson says. “If they’re not able to fulfill a record request, then they should determine if it meets one of those eight exceptions. Otherwise, the patient may report them to the ONC.”

It’s important to keep in mind that the ONC notes that such practices will be evaluated on a case-by-case basis to determine whether information blocking has occurred. Additionally, the determination of whether information blocking occurred would be based on whether the individual or entity engaging in the practice is an actor; the claim involves EHI; the practice was required by law; the actor’s practice met the conditions of an exception; the practice rose to the level of interference; and the actor met the requisite knowledge standard.

“Ultimately, the burden of proof will be on the provider to demonstrate that they did not interfere with the access, use, or exchange of ePHI. If your organization has not assessed the difference between its legal health record and its DRS, there may be some heavy lifting to do,” Peterson notes.

Adds Delahoussaye, “Noncompliant health IT vendors are subject to a $1 million fine per violation should they interfere with the exchange of electronic health information.”

With such pricey penalties in play, Peterson recommends, “Involve your compliance, risk, privacy office, and, most importantly, your IT department to identify the DRS, where the documents, images, files, etc reside and to determine how to reduce effort on the release of information staff by placing as many of DRS elements in the patient’s portal where it is easily accessible by the patient.”

— Susan Chapman, MA, MFA, PGYT, is a Los Angeles–based freelance writer and editor.